04/09/2015

Today’s Lesson in Data Privacy: Educating the Educators?

by Neil Farquharson

The marketplace for stolen data is active and alive within the Web. While the going rate for a stolen Social Security number is only about $1, medical records and banking information – both rarer and more data-rich – can earn anywhere from $50 to $1,000! Looking at the headlines over the past year – Target, Sony, J.P. Morgan, etc. – it makes sense that hackers set their sights on these companies because they deal with credit card numbers, Social Security numbers, bank account numbers and health records on a daily basis. But, hackers continue to evaluate new targets. Recently, the University of Chicago, University of Auburn and UC Riverside all reported data breaches, exposing the SSNs, logins, academic information and email addresses of hundreds of thousands of current and former employees and students. Between the Bursar’s Office, the student health center, financial aid information and academic records, there are vast amounts of sensitive data at the average junior college or four-year university that students, teachers and staff alike would not want to be leaked. While the study is just about a year old, the Ponemon Institute reports that the education industry has the second highest per-capita data breach cost of all industries at $294, with the overall mean per U.S. industry costing $201. And in most cases, data breaches are caused by a remote, malicious attack. In addition to being a treasure trove of data — unlike healthcare and financial institutions — there aren’t security mandates in place. This lets higher education institutions take a more laissez-faire approach to security. Regardless, these institutions need to step up their levels of protection to prevent unauthorized access. Beta News posted a handy infographic that is a great resource for higher education IT departments concerned with privacy. It details five practices that include automated backups for lost data retrieval, real-time security platforms, compliance frameworks, security reports and data archiving. But we noticed one piece to the puzzle was missing: email security. Email can be as easy for a hacker to read as a postcard passing through the mail. Sure there are harmless emails passed between student and professor discussing an upcoming assignment, but what about emails containing some of the sensitive information discussed above? Without the proper security measures in place, an unauthorized person can capture emails as they travel across the Internet, and worse, the institution may never know it’s happening. While email encryption isn’t the silver bullet to safeguarding sensitive information at universities, it should definitely be part of the overall solution. Protecting email isn’t painful or difficult. It can actually be as easy as hitting “send.” Before evaluating solutions, take a look at the email encryption checklist.